10.2.600 Ice.Common.InvalidSessionException

The historic default for Idle Session timeout has always been 72 hours, which security experts feel is excessively long and which was called out as a “negative” on security reviews. Based on that feedback, and “heated” requests from larger security-conscious customers, we made the Session timeout value configurable with a 12-hour default vs. the previous 72-hour hard-coded setting.

We failed to flag this on the Release Notes as an important item - sorry about that. Security hardening a system can be controversial and we often find ourselves walking a fine line between usability and security best practices. In this case, we hardened the system and left the original timeout setting as an option. Allowing a longer timeout period was counter to the intent of the work done and we frankly never expected that someone would want an application (and the Server Session reference) to be valid for more than 3 days with no usage.

I know of 1 customer that has this value set to less than an hour and several others that have the setting at 120 minutes or less. For them, the security of the system is more important than the annoyance factor imposed on their users.

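To make concrete what a sliding idle-session timeout does (and why a session left untouched for 13 hours is valid under the old 72-hour default but rejected under the new 12-hour one), here is an added illustration. It is hypothetical example code written for this page, not Epicor's implementation: the `IdleSessionStore` class, the `InvalidSessionError` name and the in-memory dictionary are assumptions; only the 72-hour and 12-hour values come from the post above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


class InvalidSessionError(Exception):
    """Raised when a session id is unknown or has exceeded the idle timeout.
    Hypothetical stand-in for a server-side 'invalid session' error."""


@dataclass
class Session:
    user: str
    created: datetime
    last_activity: datetime


class IdleSessionStore:
    """In-memory session store with a configurable *sliding* idle timeout.

    Hypothetical example implementation. Every successful use of a session
    resets its idle clock; a session that goes unused for longer than
    `idle_timeout` is rejected and discarded.
    """

    def __init__(self, idle_timeout: timedelta = timedelta(hours=12)):
        if idle_timeout <= timedelta(0):
            raise ValueError("idle_timeout must be positive")
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: datetime) -> str:
        """Issue a new, unguessable session id for `user`."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str, now: datetime) -> Session:
        """Check a presented session id; on success, record the activity."""
        s = self._sessions.get(sid)
        if s is None:
            raise InvalidSessionError("unknown session")
        idle = now - s.last_activity
        if idle > self.idle_timeout:
            # Drop the dead session eagerly so it cannot be revived later.
            del self._sessions[sid]
            raise InvalidSessionError(
                f"session idle for {idle}, limit is {self.idle_timeout}")
        s.last_activity = now  # sliding window: activity resets the clock
        return s

    def purge_idle(self, now: datetime) -> int:
        """Server-side sweep of sessions nobody has touched; returns count removed."""
        dead = [sid for sid, s in self._sessions.items()
                if now - s.last_activity > self.idle_timeout]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)


def compare_policies(idle_hours: float) -> dict:
    """Return {timeout_hours: still_valid} for a session left idle `idle_hours`
    under the old 72-hour default and the new 12-hour default."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    result = {}
    for hours in (72, 12):
        store = IdleSessionStore(timedelta(hours=hours))
        sid = store.create("alice", t0)
        try:
            store.validate(sid, t0 + timedelta(hours=idle_hours))
            result[hours] = True
        except InvalidSessionError:
            result[hours] = False
    return result


if __name__ == "__main__":
    # A session idle overnight survives a 72 h policy but not a 12 h one.
    print(compare_policies(13))
```

Because the window slides, a user who works all day never hits the limit; only a session nobody touches for the full period is invalidated, which is the behaviour an idle-timeout setting is meant to have.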